Faction includes two different APIs. One is REST-based and lets you query and create just about anything that you can do via the web interface. You can write your own scripts to update findings, create assessments, or run reports.

The second API is our Integration API, and it is event-triggered. It lets you run custom code to integrate Faction into your existing systems, such as Jira or your own application inventory program. This post will discuss how you could integrate Faction into Jira to submit bugs directly to development teams for tracking.

INTEGRATION API WEB INTERFACE

Log into Faction as an administrator and navigate to the Integration API page. It should look something like the following screenshot. On this page you can write custom Python code that will execute when certain conditions occur inside Faction. There are two boxes on the right of the screen. These inform you of the input arguments and output variables that are available to you. The input arguments are accessible from the ‘inputs’ variable and have a class type of VTKVPair. This is a simple key-value pair object that you can use. All outputs are expected to be Arrays of VTKVPairs. This might sound cumbersome at first, but it's really easy. Just keep reading.

ACCESSING INPUT VARIABLES:

Input variables are accessible as key-value pairs, where the ‘key’ is one of the names listed under ‘Input Variables’ in the top right box of the page. For reference, here is the full set of variables that can be accessed on an Assessment Completed Event.

RETURNING VARIABLES TO FACTION

You can update the Faction database from external sources. The variables that are accepted back into Faction are defined in the Output Format Table. Below are the output variables for an Assessment Completed Event.

vulnId
tracking

These variables must be Key-Value pairs in an Array. To return an updated trackingId from an external system, you would do something similar to the following code:
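
A sketch of that return shape, added here and not taken from the original post or the Faction code base. `KVPair` is a hypothetical stand-in for `VTKVPair`, and the alternating `vulnId`/`tracking` ordering, the issue-key pattern and the sample Jira responses are assumptions; the key is validated before it is returned because the tracking value ends up in reports.

```python
import json
import re


class KVPair(object):
    """Hypothetical stand-in for Faction's VTKVPair (real constructor not shown here)."""

    def __init__(self, key, value):
        self.key = key
        self.value = value


# Assumed issue-key shape (PROJECT-123). Adjust to the Jira instance's project keys.
ISSUE_KEY = re.compile(r"[A-Z][A-Z0-9_]{1,19}-[1-9][0-9]{0,9}")


def tracking_outputs(created):
    """created: list of (vuln_id, raw Jira create-issue response body).

    Returns (outputs, rejected). outputs is a flat list of pairs, a vulnId
    pair followed by its tracking pair (assumed ordering). rejected holds the
    vuln ids whose response did not carry a well-formed issue key.
    """
    outputs, rejected = [], []
    for vuln_id, body in created:
        try:
            key = json.loads(body).get("key")
        except (ValueError, AttributeError):  # not JSON, or not a JSON object
            key = None
        # The tracking value is written into reports, so only a strict
        # issue key is accepted; error bodies and markup are dropped.
        if isinstance(key, str) and ISSUE_KEY.fullmatch(key):
            outputs.append(KVPair("vulnId", str(vuln_id)))
            outputs.append(KVPair("tracking", key))
        else:
            rejected.append(vuln_id)
    return outputs, rejected


# Constructed sample responses; ids, keys and host are made up.
SAMPLE = [
    (101, '{"id": "10000", "key": "APPSEC-24", "self": "https://jira.example.invalid/rest/api/2/issue/10000"}'),
    (102, '{"errorMessages": ["Field required"], "errors": {}}'),
    (103, '{"key": "APPSEC-25<script>"}'),
    (104, "not json"),
]

if __name__ == "__main__":
    outputs, rejected = tracking_outputs(SAMPLE)
    print([(p.key, p.value) for p in outputs], "rejected:", rejected)
```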

After finalizing an assessment, our vulnerabilities are uploaded to Jira and formatted similarly to how they appear in the report. Notice that the full vulnerability exploit steps and descriptions are added to the issues created in Jira.

Now we can query for the vulnerability in Faction and find the Jira ID.

Search by our Tracking Id in Jira:

Reports are automatically updated with the external system’s tracking number as well.